Generating a memberOf attribute for posixGroups

2013-07-22T13:56:10 <m0zes> hello, all. I am looking to
set up keystone with an ldap backend. I need to filter
users based on group membership, in this case a
non-rfc2307 posixGroup. This means that memberOf doesn't
show up, and that the memberUid in the group is not a
dn. Any thoughts on how to accomplish this?

It turns out that this is a not uncommon question, so I spent some
time today working out a solution using the dynlist overlay for
OpenLDAP.

Assumptions

This solution assumes groups are non-RFC2307 posixGroup entries; that
is, members are recorded in the memberUid attribute, which
corresponds to the uidNumber attribute of a user object.

Loading the dynlist module

This solution makes use of the dynlist dynamic overlay, so you’ll
first need to make sure that module is loaded. Most modern OpenLDAP
deployments make use of the new slapd.d configuration directory,
which means you’ll modify your configuration by loading the following
LDIF file:

You would load this into your running instance with something like the
following:

# ldapadd -Y EXTERNAL -H ldapi://%2fvar%2frun%2fldapi -f dynlist.ldif

This makes certain assumptions about how your permissions are
configured (in particular, it assumes that your server is configured
to permit administrative access to system UID 0 when accessing the
ldapi socket).

If you already have a cn=modules{0},cn=config object, you’ll need to
modify it instead, using the following:

Schema modifications

In an ideal world, we would be able to make our solution populate the
standard memberOf attribute. Unfortunately, this is an
“operational” attribute in OpenLDAP, which means we can’t make it
available to a user class…so, we’re going to define (a) a new
attributeType that is largely identical to the memberOf attribute,
and (b) a new auxiliary object class that allows the new attribute.

This gives us the obMemberOf attribute and the obPerson object
class. NOTE: the OIDs used here are under my own IANA-assigned OID
prefix. You should replace 1.3.6.1.4.1.24441 with your own OID
prefix. If you don’t have one (and you’re sure your organization
doesn’t already have one), you can register for your own.

Defining a dynamic list

We’re going to configure the dynlist overlay so that when it sees an
obPerson object, it will use the labeledURI attribute of that
object to generate a list of obMemberOf attributes containing the
distinguished names of the groups of which the user is a member.
We’ll load the following LDIF file into our server:

Note that the distinguished name for this entry depends on the DN of
the database which you are configuring, so you’ll need to modify the
olcDatabase= component in the DN.
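To see what the overlay actually evaluates, here is an added example (not code from the original post) that builds a user's labeledURI value with RFC 4515 filter escaping and RFC 4516 percent-encoding, emits the ldapmodify input that attaches it, and checks the same equality match against constructed posixGroup entries. The group base ou=groups,dc=example,dc=com, the obPerson class name and the empty attributes part of the URI are assumptions.

```python
# Added example (not from the original post): build the labeledURI that the
# dynlist overlay evaluates for a user, and check it against constructed
# posixGroup entries. ou=groups and obPerson are assumed names.
import urllib.parse

# RFC 4515: characters that must be escaped inside a filter assertion value,
# so a memberUid value cannot widen the search (e.g. "*" matching everyone).
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)

def member_uri(group_base: str, member_uid: str) -> str:
    """RFC 4516 LDAP URL: every posixGroup under group_base listing member_uid
    (whatever value the groups record in memberUid). The attributes part is
    left empty; dynlist collects the DNs of the matching entries."""
    flt = f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(member_uid)}))"
    return f"ldap:///{group_base}??sub?{urllib.parse.quote(flt, safe='')}"

def fold_ldif(line: str, width: int = 76) -> str:
    """LDIF line folding: first line at most width chars, continuation lines
    prefixed with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def user_modify_ldif(user_dn: str, group_base: str, member_uid: str) -> str:
    """ldapmodify input adding the auxiliary class and the trigger attribute."""
    return "\n".join([
        f"dn: {user_dn}", "changetype: modify",
        "add: objectClass", "objectClass: obPerson", "-",
        "add: labeledURI",
        fold_ldif(f"labeledURI: {member_uri(group_base, member_uid)}"),
    ]) + "\n"

def groups_for(member_uid: str, groups: dict) -> list:
    """What the server returns for the URI: an equality match on memberUid,
    so an escaped '*' matches only a group whose memberUid is literally '*'."""
    return sorted(dn for dn, uids in groups.items() if member_uid in uids)

# Constructed sample posixGroup entries: DN -> memberUid values (uidNumbers).
SAMPLE_GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": ["1001"],
    "cn=devs,ou=groups,dc=example,dc=com": ["1001", "1002"],
}

if __name__ == "__main__":
    print(user_modify_ldif("uid=alice,ou=people,dc=example,dc=com",
                           "ou=groups,dc=example,dc=com", "1001"))
    print(groups_for("1001", SAMPLE_GROUPS))
```

Because the server evaluates whatever URI is stored on the entry, the access controls on labeledURI should allow writes only from the administrators who set it, never from the user whose membership it computes.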

Setting user attributes

With the above configuration in place, we can now add the necessary
labeledURI attribute to a user and see what happens. For our
purposes, this attribute needs to contain an LDAP URI that returns the
groups of which the user is a member. Assuming a user like this: